Hoteliers and NIS2: Navigating the EU’s Cybersecurity Law

New cybersecurity regulations under the European Union’s Network and Information Security Directive (NIS2) are set to take effect in October 2024. Aimed at enhancing global cybersecurity frameworks, NIS2 will have significant implications for industries worldwide, including hospitality.

In this week’s edition of the VENZA Echo, we explore what NIS2 is, its key components, and what these new rules mean for hoteliers around the globe.

Highlights

*The NIS2 Directive expands EU cybersecurity regulations, impacting more sectors with a focus on risk management and supply chain security.

*It applies to essential services and digital providers, requiring compliance by October 2024.

*Hoteliers may be indirectly affected by NIS2 due to digital operations and data handling.

What is NIS2?

The NIS2 Directive is an updated EU cybersecurity framework that expands upon the 2016 NIS Directive, focusing on enhanced risk management and supply chain security.

It broadens the NIS Directive’s applicability to more sectors and companies and mandates stricter compliance requirements.

Adopted by the European Parliament and Council in November 2022, NIS2 officially took effect in January 2023. EU member states are required to incorporate these provisions into their national laws by 17 October 2024.

What is Applicable?

NIS2 applies to entities across 11 “essential” sectors and 7 “important” sectors.

Specifically, the directive applies to:

*Essential Service Operators (OES): Entities critical to societal operations, like energy, water, and healthcare providers. Compliance with the NIS2 Directive is mandatory for all OES, regardless of their size.

*Digital Service Providers (DSPs): Companies that offer online services, including e-commerce, cloud computing, and search engines. Compliance with NIS2 is determined by the DSP’s size, based on employee numbers and revenue.

>Medium DSPs: 50+ employees and €10 million+ annual turnover.

>Large DSPs: 250+ employees and €50 million+ annual turnover.

Although the hospitality industry is not explicitly listed, digital services within this sector could be affected, particularly if they meet the size criteria for DSPs.

What are the Requirements?

NIS2 introduces several comprehensive requirements to bolster the security of network and information systems across the EU. Unlike the original directive, it takes a more risk-management-focused approach, addressing both digital and physical security risks.

Key requirements include:

Risk Management:

*Maintaining an inventory of critical assets with regular assessments of network and information systems.

*Implementation of security measures, including policies, employee training, encryption, and vulnerability management.

Incident Response and Reporting:

*Implementation of incident detection, classification, and reporting.

*Enforcement of timelines for reporting cybersecurity incidents, requiring businesses to report within 24 hours of discovering an incident and to submit a comprehensive report within 72 hours.

Business Continuity:

*Development of continuity and disaster recovery plans.

*Implementation of backup management and communication protocols.

Supply Chain Security:

*Assessment and management of risks across the supply chain.

*Security measures for suppliers and service providers.

Entities within the scope of NIS2 that fail to comply can face steep financial penalties. This includes fines of up to €10 million or 2% of global turnover. For more severe infractions, businesses may be subject to €20 million or 4% of global turnover.

National authorities can also impose measures like suspending or restricting an entity’s activities to safeguard network and information system security.

What’s the Impact on Hoteliers?

Although hospitality isn’t directly governed by NIS2, the directive enforces strict cybersecurity measures on key service providers that hoteliers rely on, such as Managed Service Providers (MSPs) and online reservation platforms. As a result, hoteliers, especially those heavily dependent on these digital services, could find themselves held to stronger cybersecurity and data protection measures by their providers.

For example, if an MSP manages a hotel’s cybersecurity infrastructure, it may need to implement and maintain more robust security measures to comply with NIS2.

Moreover, similar to how GDPR sets a global benchmark for data protection, NIS2 could potentially do the same for cybersecurity practices worldwide. Compliance with NIS2 will likely extend beyond the EU, influencing global operations and raising cybersecurity standards internationally. The ripple effect could lead to the widespread adoption of enhanced security protocols, making robust cybersecurity the norm across industries.

For hoteliers, even those operating outside the EU, aligning with NIS2 is crucial. Doing so strengthens overall security, safeguarding both guest data and business operations.

Conclusion

The NIS2 Directive represents a significant evolution in EU cybersecurity legislation, with wide-reaching impacts for businesses, including those in the hospitality industry.

By understanding and adhering to NIS2, hoteliers can not only comply with legal obligations but also enhance their cybersecurity defenses.

Feeling overwhelmed? Don’t be. As a leader in hospitality data protection, VENZA provides vendor security assessments and privacy management solutions to help hoteliers navigate the evolving global regulatory landscape.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Human Firewall

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.